Way back a long time ago, Thompson and Ritchie were sitting opposite one another at the commissary, sipping coffees and discussing their evolving behemoth.
“This behemoth of ours,” said Ken, “is becoming rather popular, wouldn't you say?” “Yes,” said Dennis. “Every time I want to do a compilation, I have to wait for hours and hours. It's infuriating.” They both agreed that the load on their system was too great. Both sighed, picked up their mugs, and went back to the workbench. Little did they know that an upper-management type was sitting just within earshot of their conversation.
“We are AT&T Bell Laboratories, aren't we?” the upper-management type thought to himself. “Well, what is our organization best known for?” The brill-cream in his hair glistened. “Screwing people out of lots of money, of course! If there were some way that we could keep tabs on users and charge them through the nose for their CPU time...”
The accounting utilities were born.
Seriously though, the accouting utilities can provide a system administrator with useful information about system usage—connections, programs executed, and utilization of system resources.
Information about users—their connect time, location, programs
executed, and the like—is automatically recored in files by
init
and login
. Four of them are of interest to us:
wtmp
, which has records for each login and logout;
acct
, which records each command that was run;
usracct
and savacct
, which contain
summaries of the information in acct
by user and
command, respectively. Each of the accounting utilities reports or
summarizes information stored in these files.
ac
ac
can tell you how
long a particular user or group of users were connected to your system,
printing totals by day or for all of the entries in the
wtmp
file.
accton
last
last
,
you can search the wtmp
file for a particular user or
terminal name (to which the user was connected). Of special interest
are two fake users, `reboot' and `shutdown', which are
recorded when the system is shut down or reboots.
lastcomm
last
, you can search the
acct
file for a particular user, terminal, or command.
sa
acct
file into the
savacct
and usracct
file. It also
generates reports about commands, giving the number of invocations, cpu
time used, average core usage, etc.
dump-acct
dump-utmp
acct
and utmp
files in a human-readable format.
For more detailed information on any of these programs, check the chapter with the program title.
The wtmp
and acct
files seem to live in different places
and have different names for every variant of u*x that exists. The name
wtmp
seems to be standard for the login accounting file, but the
process accounting file might be acct
or pacct
on your
system. To find the actual locations and names of these files on your
system, specify the --help
flag to any of the programs in this
package and the information will dumped to standard output.
Regardless of the names and locations of files on your system, this
manual will refer to the login accounting file as wtmp
and the
process accounting files as acct
, savacct
, and
usracct
.
I don't have any idea who originally wrote these utilities. If anybody
does, please send some mail to noel@gnu.ai.mit.edu
and I'll add
your information here!
Since the first alpha versions of this software in late 1993, many people have contributed to the package. They are (in alphabetical order):
Eric Backus <ericb@lsid.hp.com>
gcc
and tacked on -Wall
etc. He also noticed that
file_rd.c
was doing pointer arithmetic on a void *
pointer
(non-ANSI).
Christoph Badura <bad@flatlin.ka.sub.org>
Michael Calwas <calwas@ttd.teradyne.com>
Derek Clegg <dclegg@apple.com>
Alan Cox <iiitac@pyr.swan.ac.uk>
Scott Crosby <root@hypercube.res.cmu.edu>
--sort-real-time
for sa
.
Solar Designer <solar@false.com>
--ahz
flag in lastcomm
and sa
.
Dirk Eddelbuettel <edd@miles.econ.queensu.ca>
Jason Grant <jamalcol@pc-5530.bc.rogers.wave.ca>
sa
.
Kaveh R. Ghazi <ghazi@caip.rutgers.edu>
Susan Kleinmann <sgk@sgk.tiac.net>
Alexander Kourakos <Alexander@Kourakos.com>
--wide
option for last
.
Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>
--ip-address
flag for last
.
David S. Miller <davem@caip.rutgers.edu>
Walter Mueller <walt@pi4.informatik.uni-mannheim.de>
Ian Murdock <imurdock@gnu.ai.mit.edu>
Tuomo Pyhala <tuomo@lesti.kpnet.fi>
--strict-match
flag in lastcomm
.
Luc I. Suryo <root@patriots.nl.mugnet.org>
--user
flag for lastcomm
.
Pedro A M Vazquez <vazquez@iqm.unicamp.br>
Marco van Wieringen <Marco.van.Wieringen@mcs.nl.mugnet.org>
ac
The ac
command prints out a report of connect time (in hours)
based on the logins/logouts in the current wtmp
file.
A total is also printed out.
The accounting file wtmp
is maintained by init
and login
. Neither of these programs creates the file; if the
file is not there, no accounting is done. To begin accounting, create
the file with a length of zero. NOTE: the
wtmp
file can get really big, really fast. You might
want to trim it every once and a while.
GNU ac
works nearly the same u*x ac
, though it's a little
smarter in its printing out of daily totals—it actually prints
every day, rather than skipping to the date of the next entry in
the wtmp
file.
All of the original ac
's options have been implemented, and a few have
been added. Normally, when ac
is invoked, the output looks like
this:
total 93867.14
where total is the number of hours of connect time for every entry in
the wtmp
file. The rest of the flags modify the
output in one way or another.
-d
--daily-totals
Jul 3 total 1.17 Jul 4 total 2.10 Jul 5 total 8.23 Jul 6 total 2.10 Jul 7 total 0.30
-p
--individual-totals
bob 8.06 goff 0.60 maley 7.37 root 0.12 total 16.15
-f
filename--file
filenamewtmp
file.
--complain
wtmp
file has a problem (a time-warp, missing
record, or whatever), print out an appropriate error.
--reboots
ac
's automatically count the
time between the login and the reboot record against the user (even
though all of that time shouldn't be, perhaps, if the system is
down for a long time, for instance). If you want to count this time,
include the flag. To make ac
behave like the one that
was distributed with your OS, include this flag.
--supplants
ac
behave like the one that was distributed with your OS, include
this flag.
--timewarps
wtmp
file will suddenly jump
back into the past without a clock change record occurring. It is
impossible to know how long a user was logged in when this occurs. If
you want to count the time between the login and the time warp against
the user, include this flag. To make ac
behave like the
one that was distributed with your OS, include this flag.
--compatibility
-a
--all-days
-y
--print-year
--print-zeros
--debug
--tw-leniency
valuewtmp
files might be slightly out of order (most
notably when two logins occur within a one-second period – the second
one gets written first). By default, this value is set to 1 second.
Some wtmp
's are really screwed up (Suns) and require a
larger value here. If the program notices this problem, time is not
assigned to users unless the --timewarps
flag is used. See the
Problems section for more information.
--tw-suspicious
valuewtmp
file are farther than this number of seconds
apart, there is a problem with the wtmp file (or your machine
hasn't been used in a year). If the program notices this problem, time
is not assigned to users unless the --timewarps
flag is used.
-V
--version
ac
's version number.
-h
--help
ac
's usage string and default locations of system files to
standard output.
For no fault of ac
's, if two logins occur at the same time
(within a second of each other), each login
process will try to
write an entry to the wtmp
file. With file system
overhead, it is forseeable that the entries would get written in the
wrong order. GNU ac
automatically compensates for this, but some
other ac
s may not... beware.
I've tested the standard ac
in Ultrix 4.2 (DECstation/DECsystem),
SunOS 4.1.1 (Sun3, Sun4, Sparc), Mach 2.5 (Omron/Luna), and DomainOS
10.3 (DN3500). All of these ac
s have trouble parsing entries in
which the line is ftp
xxxx (xxxx being some number).
Whenever these ac
s see one of these entries, they log everyone
out at the time of the entry.
HOW IT HAPPENS: if there is a user logged into the machine when an ftp connection occurs, (minimally) you'll get a login record for the user, a login record for the ftp connection, and the logouts for both afterwards (in either order).
TANGIBLE RESULT: the user who was logged in gets 'logged out'
at the time the ftp connection begins, and none of the time spent during
or after the ftp connection. Therefore, when you run GNU ac
,
the totals will most likely be greater than those of your system's
ac
(provided you specify the other flags that will make GNU
ac
behave like the system's).
On Suns, init
is a little screwed up. For some reason, after a
shutdown record is written, a reboot record is written with a time-stamp
before the shutdown (less than 30 seconds, usually).
TANGIBLE RESULT: GNU ac
will notice the problem, log
everyone out (you can specify if you want the time to be added to the
user's total) and begin a new day entry based on the time of the
out-of-sync record. If you try to print out daily totals, you'll notice
that some days might have two or more entries.
SOLUTION: To fix this, a timewarp leniency value has been implemented. If any record is out of order by this number of seconds (defaults to 60) it gets ignored. If you need to change this value (if you think the totals are off because the value is too high), you can change it using the `--timewarp-value' flag. The rationale for the 60 second default is that of all of the machines with this problem, the largest timewarp was 45.
Some ac
's on System V machines (I've tried SGI Indigo & SGI Indy)
forget to pay attention to the ut_type
field in a struct
utmp
. As such, they chalk up a lot of time to non-existant processes
called LOGIN
or runlevel
.
TANGIBLE RESULT: The amount of total time reported by the
system's ac
is really off. Often, it's several times
greater than what it should be.
SOLUTION: GNU ac
always pays attention to the
ut_type
record, so there's no possibility of chalking up time to
anything but user processes.
accton
accton
turns process accounting on or off. To save process
accounting information in accountingfile, use:
accton
accountingfile
If called with no arguments, it will, by default, stop process accounting.
-V
--version
accton
's version number.
-h
--help
accton
's usage string and default locations of system files
to standard output.
last
last
looks through the wtmp
file (which records
all logins/logouts) and prints information about connect times of users.
Records are printed from most recent to least recent. Records can be
specified by tty and username. tty names can be abbreviated: `last
0' is equivalent to `last tty0'.
Multiple arguments can be specified: `last root console' will print
all of the entries for the user root
and all entries logged in on
the console
tty.
The special users reboot
and shutdown
log in when the
system reboots or (surprise) shuts down. `last reboot' will
produce a record of reboot times.
If last
is interrupted by a quit signal, it prints out how far
its search in the wtmp
file had reached and then
quits:
weerapan ttyq6 132.162.32.37 Mon Feb 15 19:07 - 19:21 (00:13) weerapan ttyq6 132.162.32.37 Mon Feb 15 19:07 - 19:21 (00:13) interrupted at Mon Feb 15 19:07:52 1993
This program implements the features of regular u*x last
with a few
extra flags. When last
is invoked with no arguments, the output
looks like this:
gr151 ttyp2 ray.cs.oberlin.e Tue Feb 16 17:40 still logged in jhoggard ttyp2 csts.cs.oberlin. Tue Feb 16 17:39 - 17:39 (00:00) jstarr ttyp1 UNIX5.ANDREW.CMU Tue Feb 16 17:38 still logged in jberman ttypb 132.162.32.25 Tue Feb 16 17:34 still logged in alee ttyp7 csts.cs.oberlin. Tue Feb 16 17:34 still logged in jbrick ttyp2 ocvaxa.cc.oberli Tue Feb 16 17:33 - 17:36 (00:03) mbastedo ttypc ocvaxa.cc.oberli Tue Feb 16 17:25 - 17:26 (00:01) rgoodste ttypb ocvaxa.cc.oberli Tue Feb 16 17:22 - 17:26 (00:03) huttar ttyp9 lobby.ti.com Tue Feb 16 17:19 still logged in klutz ttyp3 132.162.32.25 Tue Feb 16 17:14 still logged in
--no-truncate-ftp-entries
ftp
xxxx entries.
-
number-n
number--lines
numberlast
prints.
-f
filename--file
filenamewtmp
file.
-y
--print-year
-s
--print-seconds
--complain
wtmp
file has a problem (a time-warp, missing
record, or whatever), print out an appropriate error.
-x
--more-records
-a
--all-records
wtmp
file.
-i
--ip-address
last
print the IP address instead of
the hostname.
--tw-leniency
valueac
chapter for information.
--tw-suspicious
valueac
chapter for information.
-w
--wide
last
tries to print each entry within in 80 columns.
Use this option to instruct last
to print out the fields in the
wtmp
file with full field widths.
--debug
-V
--version
last
's version number.
-h
--help
last
's usage string and default locations of system files
to standard output.
Of the last
s I've tried, all of them have had problems parsing a
system clock change. Instead of modifying the entries that have been
read, they just ignore the change and give you incorrect values. GNU
last
knows about clock changes and prints the correct times.
TANGIBLE RESULT: if you diff
the output of your
last
and GNU last
, entries after (before, rather) a clock
change will be off by the amount of the clock change.
Most last
s that I've examined have the same problem here as
ac
does—they log everyone out as soon as they see an ftp entry.
TANGIBLE RESULT: GNU last
will reflect the correct time
spent in an ftp session, so the totals that it gives will most likely be
greater than those given by the system last
.
lastcomm
lastcomm
prints out information about previously executed
commands. If no arguments are specified, lastcomm
will print
info about all of the commands in the acct
file (the
record file). If called with a command name, user name, or tty name,
only records containing those items will be displayed. For example, to
find out which users used command `a.out' and which users were
logged into `tty0', type:
lastcomm a.out tty0
This will print any entry for which `a.out' or `tty0' matches in any of the record's fields (command, name, or tty). If you want to find only items that match ALL of the arguments on the command line, you must use the '–strict-match' option. For example, to list all of the executions of command `a.out' by user `root' on terminal `tty0', type:
lastcomm --strict-match a.out root tty0
The order of the arguments is not important.
For each entry the following information is printed:
This program implements the features of regular u*x lastcomm
with
a few extra flags. When lastcomm
is invoked without arguments,
the output looks like this:
nslookup jberman ttypb 0.03 secs Tue Feb 16 19:23 comsat root __ 0.03 secs Tue Feb 16 19:19 uptime ctilburg __ 0.11 secs Tue Feb 16 19:23 sh F ctilburg __ 0.02 secs Tue Feb 16 19:23 sleep ctilburg __ 0.02 secs Tue Feb 16 19:22 ls noel ttyp4 0.19 secs Tue Feb 16 19:23
--strict-match
--user
nameed
).
--command
name--tty
name-f
filename--file
filenameacct
file.
--ahz
hzAHZ
should be (in hertz).
This option is useful if you are trying to view an acct
file
created on another machine which has the same byte order and file format
as your current machine, but has a different value for AHZ
.
--debug
--version
lastcomm
's version number.
--help
lastcomm
's usage string and default locations of system
files to standard output.
sa
sa
summarizes information about previously executed commands as
recorded in the acct
file. In addition, it condenses this data
into the savacct
summary file, which contains the
number of times the command was called and the system resources used.
The information can also be summarized on a per-user basis; sa
will save this information into usracct
. Usage:
sa [
opts] [
file]
If no arguments are specified, sa
will print information about
all of the commands in the acct
file. If command
names have unprintable characters, or are only called once, sa
will sort them into a group called ***other
.
If called with a file name as the last argument, sa
will use that
file instead of acct
.
By default, sa
will sort the output by sum of user and system
time.
The output fields are labeled as follows:
cpu
re
k
avio
tio
k*sec
u
s
Note that these column titles do not appear in the first row of the
table, but after each numeric entry (as units of measurement) in every
row. For example, you might see 79.29re
, meaning 79.29 cpu
seconds of “real time.”
An asterisk will appear after the name of commands that forked but
didn't call exec
.
The availability of these program options depends on your operating
system. In specific, the members that appear in the struct acct
of your system's process accounting header file (usually acct.h
)
determine which flags will be present. For example, if your system's
struct acct
doesn't have the ac_mem
field, the installed
version of sa
will not support the --sort-cpu-avmem
,
--sort-ksec
, -k
, or -K
options.
In short, all of these flags may not be available on your machine.
-a
--list-all-names
sa
not to sort those command names with unprintable
characters and those used only once into the `***other
' group.
-b
--sort-sys-user-div-calls
-c
--percentages
-d
--sort-avio
-D
--sort-tio
-f
--not-interactive
--threshold
option, assume that all answers to
interactive queries will be affirmative.
-i
--dont-read-summary-file
savacct
.
-j
--print-seconds
-k
--sort-cpu-avmem
-K
--sort-ksec
-l
--separate-times
cpu
.
-m
--user-summary
-n
--sort-num-calls
-r
--reverse-sort
-s
--merge
savacct
and usracct
.
-t
--print-ratio
*ignore*
will appear in this field.
-u
--print-users
-v
num--threshold
numy
, add the
command to the **junk**
group.
--separate-forks
sa
separates statistics for a particular executable depending on
whether or not that command forked. Therefore, GNU sa
lumps this
information together unless this option is specified.
--sort-real-time
--ahz
hzAHZ
should be (in hertz).
This option is useful if you are trying to view an acct
file
created on another machine which has the same byte order and file format
as your current machine, but has a different value for AHZ
.
--debug
-V
--version
sa
's version number.
-h
--help
sa
's usage string and default locations of system files to
standard output.
Note: if more than one sorting option is specified, the list will be sorted by the one specified last on the command line.
I haven't been able to test this on many different machines because the data files grow so big in a short time; our sysadmin would rather save the disk space.
Most versions of sa
that I've tested don't pay attention to flags
like --print-seconds
and --sort-num-calls
when printing
out commands when combined with the --user-summary
or
--print-users
flags. GNU sa
pays attention to these flags
if they are applicable.
The average memory use is stored as a short rather than a double, so we
suffer from round-off errors. GNU sa
uses double the whole way
through.